The group left a message on PasteBin revealing the full extent of the intrusion, which includes thousands of email and password combinations, personal information (including names, addresses, dates of birth and phone numbers), nearly 3.5 million “music coupons” and over 60,000 “music codes”. The group also announced that Sony’s security was overcome by a simple SQL injection attack.
In, the group said: “SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?”
The group also stated: “Every bit of data we took wasn’t encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it’s just a matter of taking it. This is disgraceful and insecure: they were asking for it.”
The group has released much of the plundered data, though these only contain a small amount of the compromised data. Full databases have also been posted online, along with a database layout text document to aid the extraction of data. The database contains both military and government email and password combinations, and also admin accounts to Sony Pictures Online.
The following excerpt was taken from the “FILE CONTENTS.txt” document that accompanies LulzSec’s limited release:
Contents of our plunder:
## Sony_Pictures_International_AUTOTRADER_USERS.txt ##– In this file you will find just under 12,500 customers of Sony;this includes dates of birth, addresses, emails, full names,passwords, user IDs, and personal phone numbers.
## Sony_Pictures_International_BEAUTY_USERS.txt ##– In this file you will find just under 21,000 customers of Sony;this is a simple email/password drop. Enjoy your account stealing.
## Sony_Pictures_International_COUPONS.txt ##– In this file you will find just under 20,000 Sony music coupons;please note that there are 3.5 million coupons to take – get ’em.
## Sony_Pictures_International_DELBOCA_USERS.txt ##– In this file you will find just under 18,000 customers of Sony;this is a simple email/password drop. Again, enjoy your stealing.
## Sony_Pictures_International_MUSIC_CODES.txt ##– In this file you will find just under 67,000 Sony music codes;they’re like magnets, we simply have no idea how they work.
## Sony_Pictures_International_TABLE_LAYOUT.txt ##– In this file you will find the layout of the database;that means you can easily see where to steal things from.
Note that the database contains far more user information/couponsthan we took. The point is that we had control of them; all of them.We leave the rest up to you – steal as much as you want, go forth!
## Sony_BMG_Music_Entertainment_NETHERLANDS ##– This file contains the user database of BMG Netherlands;it’s around 600 usernames, emails, and passwords. Enjoy.
## Sony_BMG_Music_Entertainment_BELGIUM ##– This file contains the Sony admin database of BMG Belgium;also lots of barcodes, release dates, and other juicy shit.
The group were also responsible for several other recent security breaches, including the defacement of the Public Broadcasting Service (PBS) website and Sony Music of Japan. Sony has acknowledged the claims and is said to be investigating.
Source: LulzSecurity.com / @LulzSec
Think you could do a better job of security? Angry with Sony for not protecting your information? Angry with the hackers for stealing it in the first place? Vent some steam in the comments below!